1. 14 Aug, 2020 7 commits
  2. 20 Jul, 2020 2 commits
    • Zekun Shen's avatar
      ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() · bad60b8d
      Zekun Shen authored
      The idx in __ath10k_htt_rx_ring_fill_n function lives in
      consistent dma region writable by the device. Malfunctional
      or malicious device could manipulate such idx to have a OOB
      write. Either by
          htt->rx_ring.netbufs_ring[idx] = skb;
      or by
          ath10k_htt_set_paddrs_ring(htt, paddr, idx);
      
      The idx can also be negative as it's signed, giving a large
      memory space to write to.
      
      It's possibly exploitable by corruptting a legit pointer with
      a skb pointer. And then fill skb with payload as rougue object.
      
      Part of the log here. Sometimes it appears as UAF when writing
      to a freed memory by chance.
      
       [   15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
       [   15.595483] #PF: supervisor write access in kernel mode
       [   15.596250] #PF: error_code(0x0002) - not-present page
       [   15.597013] PGD 0 P4D 0
       [   15.597395] Oops: 0002 [#1] SMP KASAN PTI
       [   15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
       [   15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
       BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
       [   15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
       [   15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
       (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
      Signed-off-by: default avatarZekun Shen <bruceshenzk@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
      bad60b8d
    • Bolarinwa Olayemi Saheed's avatar
      ath9k: Check the return value of pcie_capability_read_*() · 9a8ab2bf
      Bolarinwa Olayemi Saheed authored
      On failure pcie_capability_read_dword() sets it's last parameter, val
      to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
      failure. This would introduce a bug because (x & x) == (~0 & x).
      
      This bug can be avoided without changing the function's behaviour if the
      return value of pcie_capability_read_dword is checked to confirm success.
      
      Check the return value of pcie_capability_read_dword() to ensure success.
      Suggested-by: default avatarBjorn Helgaas <bjorn@helgaas.com>
      Signed-off-by: default avatarBolarinwa Olayemi Saheed <refactormyself@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200713175529.29715-2-refactormyself@gmail.com
      9a8ab2bf
  3. 23 Jun, 2020 13 commits
  4. 16 Jun, 2020 6 commits
  5. 15 Jun, 2020 8 commits
  6. 14 Jun, 2020 4 commits
    • Linus Torvalds's avatar
      Linux 5.8-rc1 · b3a9e3b9
      Linus Torvalds authored
      b3a9e3b9
    • Linus Torvalds's avatar
      Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux · 4a87b197
      Linus Torvalds authored
      Pull SafeSetID update from Micah Morton:
       "Add additional LSM hooks for SafeSetID
      
        SafeSetID is capable of making allow/deny decisions for set*uid calls
        on a system, and we want to add similar functionality for set*gid
        calls.
      
        The work to do that is not yet complete, so probably won't make it in
        for v5.8, but we are looking to get this simple patch in for v5.8
        since we have it ready.
      
        We are planning on the rest of the work for extending the SafeSetID
        LSM being merged during the v5.9 merge window"
      
      * tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux:
        security: Add LSM hooks to set*gid syscalls
      4a87b197
    • Thomas Cedeno's avatar
      security: Add LSM hooks to set*gid syscalls · 39030e13
      Thomas Cedeno authored
      The SafeSetID LSM uses the security_task_fix_setuid hook to filter
      set*uid() syscalls according to its configured security policy. In
      preparation for adding analagous support in the LSM for set*gid()
      syscalls, we add the requisite hook here. Tested by putting print
      statements in the security_task_fix_setgid hook and seeing them get hit
      during kernel boot.
      Signed-off-by: default avatarThomas Cedeno <thomascedeno@google.com>
      Signed-off-by: default avatarMicah Morton <mortonm@chromium.org>
      39030e13
    • Linus Torvalds's avatar
      Merge tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 9d645db8
      Linus Torvalds authored
      Pull btrfs updates from David Sterba:
       "This reverts the direct io port to iomap infrastructure of btrfs
        merged in the first pull request. We found problems in invalidate page
        that don't seem to be fixable as regressions or without changing iomap
        code that would not affect other filesystems.
      
        There are four reverts in total, but three of them are followup
        cleanups needed to revert a43a67a2 cleanly. The result is the
        buffer head based implementation of direct io.
      
        Reverts are not great, but under current circumstances I don't see
        better options"
      
      * tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Revert "btrfs: switch to iomap_dio_rw() for dio"
        Revert "fs: remove dio_end_io()"
        Revert "btrfs: remove BTRFS_INODE_READDIO_NEED_LOCK"
        Revert "btrfs: split btrfs_direct_IO to read and write part"
      9d645db8